
cryptoblocker's People

Contributors

nexxai, nm777


cryptoblocker's Issues

Issue - Blocking a Windows update

Got this message today after my server tried to update:
User NT AUTHORITY\SYSTEM attempted to save C:\Windows\SoftwareDistribution\Download\a51458c204d30e1b291af16256441875\inst\x86_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.3.9600.18341_none_a6f94f2e32865993.manifest to C:\ on the BATMAN server. This file is in the “CryptoBlockerGroup” file group, which is not permitted on the server.

Removal of Deny Permissions on Shares

On servers with many shares, removal of the share-level deny ACL applied when an infection is detected is very tedious. By modifying your KillUserSession.ps1 script, I was able to write a script to restore user share access after an infection has been cleaned. I'm sharing my script below for your review and possible inclusion in your project.

Function RemoveDenySharePermission ([string] $ShareName, [string] $DomainUser)
{
    $domainUserSplit = $DomainUser.Split("\")

    # Read the current share-level security descriptor
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if ($shss -eq $null) {
        Write-Warning "No share security setting found for [$ShareName]"
        return $null
    }
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor

    # Build a new descriptor and copy every ACE except the Deny ACE for this trustee
    $sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags

    foreach ($oace in $sd.DACL)
    {
        # AceType 1 = ACCESS_DENIED. Only the Deny entry for this user is dropped;
        # an existing Allow entry for the same user is kept.
        $isTargetDeny = ($oace.AceType -eq 1) -and
                        ($oace.Trustee.Domain -eq $domainUserSplit[0]) -and
                        ($oace.Trustee.Name -eq $domainUserSplit[1])
        if (-not $isTargetDeny) {
            $newsd.DACL += [System.Management.ManagementBaseObject] $oace
        }
    }

    # Write the trimmed descriptor back; ReturnValue 0 means success
    $setResult = $shss.SetSecurityDescriptor($newsd)
    return $setResult.ReturnValue
}

# Verify the script is being run as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!"
    exit 1
}

# Request the username
Write-Host "This script will remove the Deny ACLs that were created on shares`nto protect against crypto virus infection.`n"
$DomainUser = Read-Host -Prompt "User account (DOMAIN\User)"
if ($DomainUser -notmatch '^[^\\]+\\[^\\]+$') {
    Write-Warning "Expected DOMAIN\User, got [$DomainUser]"
    exit 1
}

# Only disk shares (Type 0) are processed
$affectedShares = Get-WmiObject -Class Win32_Share |
                    Where { $_.Type -eq 0 } |
                    Select Name, Path, Type

$results = $affectedShares | % {
    Write-Host "Removing deny ACL for [$DomainUser] on share [$($_.Name)]..."
    $rc = RemoveDenySharePermission -ShareName $_.Name -DomainUser $DomainUser
    New-Object PSObject -Property @{ Share = $_.Name; Path = $_.Path; ReturnValue = $rc }
}

# Summary: ReturnValue 0 = descriptor written, anything else needs a look
$results | Format-Table Share, Path, ReturnValue -AutoSize

CryptoBlocker FSRM rules alert on its own files

CryptoBlocker's current ruleset includes a rule to look for and alert when files matching *crypt* are found. This causes problems in the following scenarios:

  1. Copying DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script is detected as a malicious file and blocked.
  2. Running DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script produces a log file at $env:Temp\cryptoblocker-eventnotify.txt, which is detected as a malicious file and blocked.

In both cases, the current ruleset appears to trigger based on the rule *crypt*. A possible solution might be to create an exclusion rule for these specific files.
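The two reports above (the bcrypt-primitives manifest during a Windows update, and the project's own script and log file) are both hits on the *crypt* pattern. The following is an added example written for this page, not CryptoBlocker's code: it reproduces FSRM file-group membership semantics in PowerShell (a name is a member when it matches at least one include pattern and none of the exclude patterns) so a pattern list can be checked against known-good file names before it goes live. The include list is a constructed stand-in for the real CryptoBlockerGroup, the sample file names are constructed except for the two taken from the reports above, and the exclusion patterns are a suggestion, not something the project ships.

```powershell
# Added example, not CryptoBlocker code. FSRM file-group membership: a file name is a
# member if it matches at least one include pattern and no exclude pattern. Patterns are
# file-name wildcards (*, ?) matched case-insensitively, which is what -like does.
function Test-FsrmFileGroupMember {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string[]]$IncludePattern,
        [string[]]$ExcludePattern = @()
    )
    $name = [System.IO.Path]::GetFileName($FileName)   # file screens match on the name only
    $included = @($IncludePattern | Where-Object { $name -like $_ }).Count -gt 0
    $excluded = @($ExcludePattern | Where-Object { $name -like $_ }).Count -gt 0
    return ($included -and -not $excluded)
}

# Constructed include list standing in for CryptoBlockerGroup (the real list comes from the API)
$include = @('*crypt*', '*.locky', '*.encrypted', 'HELP_DECRYPT.*', '*.zepto')

# Exclusions suggested by the two reports above (assumption: these names are stable enough to pin)
$exclude = @('*_microsoft-windows-bcrypt-*', 'cryptoblocker-eventnotify.txt', 'DeployCryptoBlocker.ps1')

# Constructed sample: the two false positives from the issues plus names that should still be caught
$samples = @(
    'C:\Windows\SoftwareDistribution\Download\a51458c204d30e1b291af16256441875\inst\x86_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.3.9600.18341_none_a6f94f2e32865993.manifest',
    "$env:TEMP\cryptoblocker-eventnotify.txt",
    'D:\Tools\DeployCryptoBlocker.ps1',
    'D:\Finance\Q3.xlsx.locky',
    'D:\Finance\HELP_DECRYPT.txt',
    'D:\Finance\budget.xlsx'
)

'{0,-7} {1,-7} {2}' -f 'before', 'after', 'file name'
foreach ($s in $samples) {
    $before = Test-FsrmFileGroupMember -FileName $s -IncludePattern $include
    $after  = Test-FsrmFileGroupMember -FileName $s -IncludePattern $include -ExcludePattern $exclude
    '{0,-7} {1,-7} {2}' -f $before, $after, [System.IO.Path]::GetFileName($s)
}

# To apply the same exclusions to the live group (FileServerResourceManager module, Server 2012+).
# Note that -ExcludePattern replaces the group's whole exclude list, so pass the full set:
# Set-FsrmFileGroup -Name 'CryptoBlockerGroup' -ExcludePattern $exclude
```

Keep exclusions as narrow as the real names allow: FSRM matches on the file name alone, so any process that writes a file called cryptoblocker-eventnotify.txt, whatever its content, is let through by that exclusion.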

Status code 2310 when executing "KillUserSession.ps1"

I've had some great success with this script so far, so many thanks to all involved. The problem I've discovered is that the "KillUserSession.ps1" script fails to set ACLs on cluster shares. Whenever the __CLASS property for the share is Win32_ClusterShare as opposed to Win32_Share, the script returns a status code of 2310, which translates to "This shared resource does not exist".

Below are the object properties of a working Win32_Share:

Status : OK
Type : 0
Name : AWB$
__GENUS : 2
__CLASS : Win32_Share
__SUPERCLASS : CIM_LogicalElement
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Share.Name="AWB$"
__PROPERTY_COUNT : 10
__DERIVATION : {CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : DMHFSCLS02
__NAMESPACE : root\cimv2
__PATH : \\DMHFSCLS02\root\cimv2:Win32_Share.Name="AWB$"
AccessMask :
AllowMaximum : True
Caption : AWB$
Description :
InstallDate :
MaximumAllowed :
Path : C:\AWB
Scope : System.Management.ManagementScope
Options : System.Management.ObjectGetOptions
ClassPath : \\DMHFSCLS02\root\cimv2:Win32_Share
Properties : {AccessMask, AllowMaximum, Caption, Description...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :

Below are the object properties of a non-working Win32_ClusterShare:

__GENUS : 2
__CLASS : Win32_ClusterShare
__SUPERCLASS : Win32_Share
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_ClusterShare.Name="\\\\BN_NT_NEPTUNE\\Users"
__PROPERTY_COUNT : 11
__DERIVATION : {Win32_Share, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : DMHFSCLS02
__NAMESPACE : root\cimv2
__PATH : \\DMHFSCLS02\root\cimv2:Win32_ClusterShare.Name="\\\\BN_NT_NEPTUNE\\Users"
AccessMask :
AllowMaximum : True
Caption : Users
Description :
InstallDate :
MaximumAllowed :
Name : \\BN_NT_NEPTUNE\Users
Path : m:\LN-NT-PANDORA Data\Users
ServerName : BN_NT_NEPTUNE
Status : OK
Type : 0
Scope : System.Management.ManagementScope
Options : System.Management.ObjectGetOptions
ClassPath : \\DMHFSCLS02\root\cimv2:Win32_ClusterShare
Properties : {AccessMask, AllowMaximum, Caption, Description...}
SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :

I've worked on this issue all morning with no success as yet, can anyone advise as to why this may be and how I could work around this problem?

Kind regards,

Matt
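One way around the 2310 result, as an added example that is not part of KillUserSession.ps1 or the project's code: the failing call looks the share up through the node-local Win32_LogicalShareSecuritySetting, while the clustered share above is scoped to its cluster network name (ServerName is BN_NT_NEPTUNE, and the share Name carries that prefix). The SmbShare cmdlets (Server 2012 and later; an assumption about the environment, since the post does not state the OS version) carry that scope explicitly: Get-SmbShare reports a ScopeName of '*' for local shares and the cluster network name for clustered ones, and Block-SmbShareAccess / Unblock-SmbShareAccess accept that ScopeName when writing or removing the share-level Deny ACE. The account name in the usage lines is made up.

```powershell
# Added example, not KillUserSession.ps1. Requires the SmbShare module (Server 2012+).
# Adds (or, with -Unblock, removes) a share-level Deny ACE for $DomainUser on every
# non-administrative share, including clustered shares, by passing each share's ScopeName.
function Set-ShareDenyForUser {
    param(
        [Parameter(Mandatory)][string]$DomainUser,   # DOMAIN\User
        [switch]$Unblock                             # remove the deny again after cleanup
    )
    # Special = administrative shares (C$, ADMIN$, IPC$); leave those alone
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($s in $shares) {
        $label = if ($s.ScopeName -eq '*') { $s.Name } else { "\\$($s.ScopeName)\$($s.Name)" }
        try {
            if ($Unblock) {
                Unblock-SmbShareAccess -Name $s.Name -ScopeName $s.ScopeName `
                    -AccountName $DomainUser -Force -ErrorAction Stop | Out-Null
            } else {
                Block-SmbShareAccess -Name $s.Name -ScopeName $s.ScopeName `
                    -AccountName $DomainUser -Force -ErrorAction Stop | Out-Null
            }
            # Verify by reading the share ACL back rather than trusting the call's silence
            $deny = Get-SmbShareAccess -Name $s.Name -ScopeName $s.ScopeName |
                Where-Object { $_.AccountName -eq $DomainUser -and $_.AccessControlType -eq 'Deny' }
            $state = if ($deny) { 'DENIED' } else { 'no deny ACE' }
            Write-Host ("{0,-40} {1}" -f $label, $state)
        } catch {
            Write-Warning "$label : $($_.Exception.Message)"
        }
    }
}

# Usage (account name is a placeholder):
# Set-ShareDenyForUser -DomainUser 'CONTOSO\jdoe'            # during the incident
# Set-ShareDenyForUser -DomainUser 'CONTOSO\jdoe' -Unblock   # after the machine is cleaned
```

Run it on a node that owns the clustered file server role; the ScopeName is what makes the same call work for both a plain Win32_Share and a Win32_ClusterShare, so there is no need to branch on __CLASS.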

GPO

When viewing the GPO's settings I get:

An error occurred while generating report:
Object reference not set to an instance of an object.

I am on a 2012 R2 domain.

New-Object : Cannot find type [Microsoft.GroupPolicy.GPDomain]: verify that the assembly containing this type is
loaded.
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:13 char:17
+ $gpDomain = New-Object -Type Microsoft.GroupPolicy.GPDomain
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

New-Object : Cannot find type [Microsoft.GroupPolicy.GPDomain]: verify that the assembly containing this type is
loaded.
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:13 char:17
+ $gpDomain = New-Object -Type Microsoft.GroupPolicy.GPDomain
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

New-Object : Cannot find type [Microsoft.GroupPolicy.GPDomain]: verify that the assembly containing this type is
loaded.
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:13 char:17
+ $gpDomain = New-Object -Type Microsoft.GroupPolicy.GPDomain
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

Success Restart Needed Exit Code       Feature Result
------- -------------- ---------       --------------
True    No             NoChangeNeeded  {}

Get-GPO : The "Block File Extensions - Workstations" GPO was not found in the zzz.int domain.
Parameter name: gpoDisplayName
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:40 char:20
+ $existingGpo = Get-GPO -Name $GpoName
+                ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.GroupPolicy.GPDomain:GPDomain) [Get-GPO], ArgumentException
    + FullyQualifiedErrorId : GpoWithNameNotFound,Microsoft.GroupPolicy.Commands.GetGpoCommand

DisplayName   : Block File Extensions - Workstations
GpoId         : f9b07a59-16c2-4e45-9498-88d118401db1
Enabled       : True
Enforced      : False
Order         : 2
Target        : DC=zzz,DC=int
GpoDomainName : zzz.int

Success Restart Needed Exit Code       Feature Result
------- -------------- ---------       --------------
True    No             NoChangeNeeded  {}

Get-GPO : The "Block File Extensions - 2K3 TS" GPO was not found in the zzz.int domain.
Parameter name: gpoDisplayName
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:40 char:20
+ $existingGpo = Get-GPO -Name $GpoName
+                ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.GroupPolicy.GPDomain:GPDomain) [Get-GPO], ArgumentException
    + FullyQualifiedErrorId : GpoWithNameNotFound,Microsoft.GroupPolicy.Commands.GetGpoCommand

DisplayName   : Block File Extensions - 2K3 TS
GpoId         : f43b6c6b-e6aa-4301-9b42-85a80976e4ec
Enabled       : True
Enforced      : False
Order         : 3
Target        : DC=zzz,DC=int
GpoDomainName : zzz.int

Success Restart Needed Exit Code       Feature Result
------- -------------- ---------       --------------
True    No             NoChangeNeeded  {}

Get-GPO : The "Block File Extensions - 2K8+ TS" GPO was not found in the zzz.int domain.
Parameter name: gpoDisplayName
At C:\Users\administrator\Downloads\CryptoBlocker-master (1)\CryptoBlocker-master\BlockFileExtensionsGPO.ps1:40 char:20
+ $existingGpo = Get-GPO -Name $GpoName
+                ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.GroupPolicy.GPDomain:GPDomain) [Get-GPO], ArgumentException
    + FullyQualifiedErrorId : GpoWithNameNotFound,Microsoft.GroupPolicy.Commands.GetGpoCommand

DisplayName   : Block File Extensions - 2K8+ TS
GpoId         : b62b8991-a04a-468b-b266-9efe29ba4737
Enabled       : True
Enforced      : False
Order         : 4
Target        : DC=zzz,DC=int
GpoDomainName : zzz.int

File screen not being created - Filescrn command not working?

We're seeing the script fail to create the file screen group when we run it. I've dug into the script and suspect that the FILESCRN.EXE ADD command is not liking the list of extensions that it's being passed. The server that this is being run on is running Server 2008 with PowerShell 4.0, which I believe is supported?

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell
FileServerResourceManager module to administer File Server Resource Manager functionality.
The parameter is incorrect.

Add new file groups.

The syntax of this command is:

Filescrn Filegroup Add /Filegroup:FG_NAME /Members:"MEMBERS"
                       [/Nonmembers:"NONMEMBERS"] [/Remote:MACHINE]

/Filegroup:FG_NAME         Add file group with name FG_NAME.

/Members:"MEMBERS"         Configure file group member patterns. MEMBERS is
                           a list of file name patterns separated by '|'.

/Nonmembers:"NONMEMBERS"   Configure file group non-member patterns.
                           NONMEMBERS is a list of file name patterns
                           separated by '|'.

/Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
Filescrn Filegroup Add /Filegroup:"Log Files" /Members:".log|.history"

String / Array working length of 4096 is too long (as of 6/9/18)

Re-ran the file screen script on 3/9/18 and 6/9/18: it worked on 3/9, but as of 6/9 the updates pulled from the fsrm.experiant.ca API break the import of file groups into FSRM, and subsequently the creation of the file screen templates and file screens fails.

Group3 fails to create due to the array being 4096 chars "long" (counting 1 char per ',', minus 1 for the final entry); however, testing during the day I have also seen the issue with Group6.

Reducing the string limit to 4095 in New-CBArraySplit function resolves the issue.

Filescreen group is not created

The script fails when it has to create a filescreen group with the command:
&filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"

I think this issue started showing recently, maybe because the list of extensions has become too large?
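The three filescrn reports above (the "parameter is incorrect" failure, the 4096-character group, and the Filegroup Add call failing as the extension list grew) describe the same limit from different angles: the '|'-joined /Members string passed to filescrn.exe stops being accepted once it reaches 4096 characters, and a cap of 4095 was reported to work. The following is an added example written for this page, not the project's New-CBArraySplit or deploy script: it chunks a pattern list so every joined string stays under a configurable cap, then creates one FSRM file group per chunk, using the FileServerResourceManager module when present and falling back to the filescrn.exe call quoted above. The 1500-pattern input is constructed sample data, not the fsrm.experiant.ca list.

```powershell
# Added example, not CryptoBlocker code. Split patterns into chunks whose '|'-joined
# length stays at or below $MaxLength (4095 per the report above), then create one
# FSRM file group per chunk.
function Split-PatternList {
    param(
        [Parameter(Mandatory)][string[]]$Patterns,
        [int]$MaxLength = 4095
    )
    $groups  = New-Object System.Collections.Generic.List[object]
    $current = New-Object System.Collections.Generic.List[string]
    $currentLength = 0
    foreach ($p in $Patterns) {
        # length the joined string would reach if $p is appended (+1 for the '|' separator)
        $added = if ($current.Count -eq 0) { $p.Length } else { $p.Length + 1 }
        if ($currentLength + $added -gt $MaxLength -and $current.Count -gt 0) {
            $groups.Add($current.ToArray())
            $current = New-Object System.Collections.Generic.List[string]
            $currentLength = 0
            $added = $p.Length
        }
        # a single pattern longer than $MaxLength cannot be split and is emitted on its own
        $current.Add($p)
        $currentLength += $added
    }
    if ($current.Count -gt 0) { $groups.Add($current.ToArray()) }
    Write-Output -NoEnumerate $groups.ToArray()   # array of string[] chunks, not flattened
}

function New-ChunkedFileGroups {
    param(
        [Parameter(Mandatory)][string]$BaseName,
        [Parameter(Mandatory)][string[]]$Patterns,
        [int]$MaxLength = 4095
    )
    $chunks = Split-PatternList -Patterns $Patterns -MaxLength $MaxLength
    $useCmdlets = [bool](Get-Command New-FsrmFileGroup -ErrorAction SilentlyContinue)
    $i = 1
    foreach ($chunk in $chunks) {
        $name = "{0}{1}" -f $BaseName, $i
        if ($useCmdlets) {
            # FileServerResourceManager module (Server 2012+) takes the patterns as an array
            New-FsrmFileGroup -Name $name -IncludePattern $chunk -ErrorAction Stop | Out-Null
        } else {
            # filescrn.exe fallback: the call that fails with 'The parameter is incorrect'
            # once the joined list reaches 4096 characters
            & filescrn.exe Filegroup Add "/Filegroup:$name" "/Members:$($chunk -join '|')" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "filescrn.exe failed for $name (exit code $LASTEXITCODE)" }
        }
        Write-Host ("{0}: {1} patterns, joined length {2}" -f $name, $chunk.Count, ($chunk -join '|').Length)
        $i++
    }
}

# Constructed sample input: 1500 distinct extension patterns, about 15,000 characters joined
$patterns = 1..1500 | ForEach-Object { '*.ext{0:d4}' -f $_ }
$chunks = Split-PatternList -Patterns $patterns
$chunks | ForEach-Object { ($_ -join '|').Length }   # every value is 4095 or less
# New-ChunkedFileGroups -BaseName 'CryptoBlockerGroup' -Patterns $patterns
```

The chunking is the part worth keeping whichever tool creates the groups: the file screen template then references every CryptoBlockerGroupN rather than a single group, which is the same layout the deploy script's Group1..GroupN naming already implies.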

[request]Script to add deny permission

Hello,

I am very interested in your project, but I just wanted to extract the script that adds the "deny permission" for a user and I can't find it.
In fact, I am already running FSRM and I have file screening already configured, which is why I just need the blocking script.
Can you share it?

Thanks

Non-AD

Any possibility to make this work for servers where Active Directory is not installed?

PowerShell Version

I tried running your script yesterday on a server with an outdated version of PowerShell (unfortunately I didn't make note of what version) on Windows Server 2008 R2 and it failed, not knowing what the Install-WindowsFeature or Add-WindowsFeature cmdlets were. After installing PowerShell v4.0, everything started working normally.

Is it possible to add a check to the script to see which version of PowerShell it's running in and if it's too old, to point the user to Windows Management Framework (which includes PowerShell) from here: https://www.microsoft.com/en-ca/download/details.aspx?id=40855
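Three of the reports above come down to missing prerequisites: the GPO script failing with "Cannot find type [Microsoft.GroupPolicy.GPDomain]", the Non-AD question, and Install-WindowsFeature / Add-WindowsFeature being unknown on Server 2008 R2 until WMF 4.0 was installed. The following is an added example written for this page, not part of CryptoBlocker: a preflight function that returns the problems it finds before either deploy script is run. Assumptions: the GroupPolicy module is what supplies the GPDomain type, the FSRM role's feature name is FS-Resource-Manager, the GPMC feature name is GPMC, and the WMF 4.0 link is the one quoted in the post above.

```powershell
# Added example, not CryptoBlocker code. Returns a list of prerequisite problems
# (an empty list means the host is ready). -ForGpoScript adds the checks that
# BlockFileExtensionsGPO.ps1 needs on top of the FSRM-only deploy script.
function Test-CryptoBlockerPrereqs {
    param([switch]$ForGpoScript)
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. PowerShell version: the 2008 R2 run above failed until WMF 4.0 was installed.
    #    PowerShell 3.0+ also auto-loads modules, so ServerManager cmdlets resolve
    #    without an explicit Import-Module.
    if ($PSVersionTable.PSVersion.Major -lt 4) {
        $problems.Add("PowerShell $($PSVersionTable.PSVersion) is too old; install Windows Management Framework 4.0: https://www.microsoft.com/en-ca/download/details.aspx?id=40855")
    }

    # 2. ServerManager cmdlets used to add the FSRM role (Install-WindowsFeature on 2012+,
    #    Add-WindowsFeature on 2008 R2)
    $hasInstall = Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue
    $hasAdd     = Get-Command Add-WindowsFeature     -ErrorAction SilentlyContinue
    if (-not ($hasInstall -or $hasAdd)) {
        $problems.Add("Neither Install-WindowsFeature nor Add-WindowsFeature is available (ServerManager module missing; is this a server OS?)")
    } elseif (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
        $problems.Add("FSRM role (FS-Resource-Manager) is not installed yet and will need to be added")
    }

    if ($ForGpoScript) {
        # 3. 'Cannot find type [Microsoft.GroupPolicy.GPDomain]' means the GroupPolicy
        #    assembly is not loaded; importing the module (part of the GPMC feature) loads it.
        if (Get-Module -ListAvailable -Name GroupPolicy) {
            Import-Module GroupPolicy -ErrorAction Stop
            if (-not ('Microsoft.GroupPolicy.GPDomain' -as [type])) {
                $problems.Add("GroupPolicy module imported but the GPDomain type is still not resolvable")
            }
        } else {
            $problems.Add("GroupPolicy module not available; install the GPMC feature (Install-WindowsFeature GPMC)")
        }
        # 4. GPOs need a domain; a standalone server can only use the FSRM part.
        if (-not (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
            $problems.Add("This server is not domain-joined; BlockFileExtensionsGPO.ps1 cannot run here, use DeployCryptoBlocker.ps1 only")
        }
    }
    Write-Output -NoEnumerate $problems.ToArray()
}

$issues = Test-CryptoBlockerPrereqs -ForGpoScript
if ($issues.Count -eq 0) {
    Write-Host "Prerequisites OK"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Running the check first turns the three separate failures into one readable list, and the GPDomain case in particular is fixed by the Import-Module the check performs rather than by anything in the deploy script itself.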
